There is only one news story this week which has directly affected as many as 20% of the population of the whole world. It is not the post-election problems in the US, nor the UK’s proposed departure from the EU. It is not climate change, which affects us all but has not been particularly prominent in the news of the past week. It is the shocking revelation that a total of 1.5 billion user accounts with Yahoo! have been compromised. Yet it has passed with remarkably little comment.
In case one in five of the global population doesn’t seem particularly impressive, the total number of compromised accounts is close to the total population of the whole of North America, South America, and of Europe, combined. It is also larger than the population of India, or even that of China. These two breaches are on an unprecedented scale by any comparison.
Not only that, but the disclosure just before the end of 2016 refers to breaches which occurred not this year, not even last year, but in 2013 and 2014, when US and European politics were totally different – halcyon days indeed. Since those breaches occurred, around 400 million babies have been born – that’s more than the entire population of the USA – and over 150 million people have died.
In fact, the total number of Yahoo! accounts which have been breached far exceeds the total of active monthly users. If you have or had a Yahoo! account, chances are that it has been compromised. It might actually be quicker and simpler for Yahoo! to reveal how few of its accounts haven’t yet been compromised.
There can surely be no greater shame to any custodian of personal details than that most of them have been stolen, and that it has taken around three years to discover and admit to that theft.
Any bank which were to suffer a loss of its cash reserves on a similar scale, and not to detect the loss for so long, would surely be shut down by public pressure and banking regulators. Yet the remarkable fact is that Yahoo! is currently in the process of being bought by Verizon for $4.8 billion, admittedly a fraction of its former worth. Even if that price were to be reduced in the light of these breaches, I suspect that there will be no shortage of individuals, maybe institutions, who will benefit handsomely from that.
It is now more clear than ever that the main reason that there continue to be so many huge breaches of personal information is financial: it is cheaper for those to whom we entrust our data to not look after it diligently, and accept the risk of its theft or loss, than it is for them to do the job properly.
Just a few days ago, the operators of the Ashley Madison dating service agreed with the US Federal Trade Commission (FTC) and state regulators to pay a $1.6 million penalty for their exposure of the personal data of 36 million users. That values each user’s personal data at less than five cents. It is small wonder that so many breaches occur: even when so many users are affected, the penalties are paltry.
Not a cent of that penalty will go to compensate those whose data was compromised, and despite an ongoing class action lawsuit, most legal experts accept that the chances of anyone obtaining appropriate compensation through the courts are very small.
Time after time these massive breaches of personal information are met with pitifully small penalties.
The regulators, in US states, at the FTC, in individual European data protection authorities, and elsewhere throughout the world, now have a chance to put this right. Breaches on an unprecedented scale, detected and disclosed after such a long period, deserve maximum penalties, and – where possible – the closure of operations.
Ashley Madison’s penalty is at least conditional on its changing its data protection practices and policies; if it fails to satisfy the FTC that it is now (eighteen months after its breach) protecting personal data properly, it could face further penalties.
For Yahoo! this is a lost cause; it is long past any hope of redemption. It is time to liquidate, and for others to learn that when you screw up on that scale, the penalty is corporate death. In some other business cultures, senior officers of the company would actually take their own lives: I would not condone such actions, but for some of them to walk away with their share of the proceeds of the sale to Verizon would be obscene. It would confirm what many of us fear, that in big business executives have protected themselves far better than they have protected their customers.
The only appropriate and commensurate penalty for these breaches is for Yahoo! to be closed. That would be an extraordinary measure, but Yahoo!’s failings have been on an extraordinary scale, a scale which surpasses anything in human history by at least an order of magnitude.
That might help others see the value of investing in better protection for our personal data. Anything less than that will once again reward those who failed to take care of our data, and perpetuate this crime of profit.